Several new wireless technologies, such as Wi-Fi extensions Wi-Fi Direct services (see ref[1]), Application Service Platform (ASP), Wi-Fi Aware, and IEEE 802.11aq, or other wireless communication systems such as Bluetooth or Zigbee, offer mechanisms for devices to advertise and seek services that are made accessible through Wi-Fi. In this document the words providing services are used for the general concept of a device offering and making available a function, service or application to be used by another device. Thereto service providing devices, called service providers, can use beacons and management frames to advertise services in service advertising messages including information about available services. Devices seeking such a service, called service seekers, may receive a service advertising message and perform service discovery to get additional information about the services, such as the service name, advertisement ID, service specific information. Devices advertising services may provide information about which Wi-Fi Protected Setup (WPS) configuration method are supported by the device, for example in basic Wi-Fi P2P. This may also be done per service. If a service seeker has found an interesting service to connect to, the discovered information can be used by a service seeker to set up a connection with the respective service provider and start using the discovered service.
In order to set up a connection between the service seeker and the service provider, the service seeker has to perform an authentication step with the service provider, for example using one of the Wi-Fi Protected Setup configuration methods, such as Push button, entering PIN code, NFC, or using WFDS Default configuration method using a fixed PIN, or using for example 802.1x RADIUS authentication. The authentication step may result in a shared key for use in the link protection (link encryption and integrity protection) and the selection of a security protocol and cryptographic algorithm sets. Examples of security protocols are WPA2-Personal, WPA-Enterprise, WEP.
Wired Equivalent Privacy (WEP) is a security algorithm for IEEE 802.11 wireless networks. Introduced as part of the original 802.11 standard ratified in 1997, its intention was to provide data confidentiality comparable to that of a traditional wired network.
WPA-Personal is also referred to as WPA-PSK (pre-shared key) mode, this is designed for home and small office networks and doesn't require an authentication server. Each wireless network device encrypts the network traffic using a 256 bit key. This key may be entered either as a string of 64 hexadecimal digits, or as a passphrase of 8 to 63 printable ASCII characters. If ASCII characters are used, the 256 bit key is calculated by applying a key derivation function to the passphrase. WPA-Personal mode is available with both WPA and WPA2.
WPA-Enterprise is also referred to as WPA-802.1X mode, and sometimes just WPA (as opposed to WPA-PSK), this is designed for enterprise networks and requires a RADIUS authentication server. This requires a more complicated setup, but provides additional security (e.g. protection against dictionary attacks on short passwords). Various kinds of the Extensible Authentication Protocol (EAP) are used for authentication. WPA-Enterprise mode is available with both WPA and WPA2.
WPA (sometimes referred to as the draft IEEE 802.11i standard) became available in 2003. The Wi-Fi Alliance intended it as an intermediate measure in anticipation of the availability of the more secure and complex WPA2. WPA2 became available in 2004 and is common shorthand for the full IEEE 802.11i (or IEEE 802.11i-2004) standard. IEEE 802.11i-2004 has been incorporated into IEEE 802.11 (2012) (see ref [2]).
Examples of cryptographic operations are AES, DES, 3DES, RC4, RSA, ECC (for encryption), HMAC_SHA256 (keyed hash function for integrity protection), and MD5, SHA1, SHA2 (hash functions).
AES is based on the Rijndael cipher developed by Joan Daemen and Vincent Rijmen, who submitted a proposal to NIST during the AES selection process. Rijndael is a family of ciphers with different key and block sizes, as described in “Daemen, Joan; Rijmen, Vincent: AES Proposal (Mar. 9, 2003)”, available from http://csrc.nist.gov/archive/aes/rijndael/Rijndael-ammended.pdf.
DES was approved as a US federal standard in November 1976, and published on 15 Jan. 1977 as FIPS PUB 46, authorized for use on all unclassified data. It was subsequently reaffirmed as the standard in 1983, 1988 (revised as FIPS-46-1), 1993 (FIPS-46-2, http://csrc.nist.gov/publications/fips/fips140-2/fips1402.pdf), and again in 1999 (FIPS-46-3, http://csrc.nist.gov/publications/fips/fips46-3/fips46-3.pdf), the latter prescribing “Triple DES” also called 3DES.
Encryption/decryption, asymmetric key RSA is one of the first practical public-key cryptosystems and is widely used for secure data transmission. In such a cryptosystem, the encryption key is public and differs from the decryption key which is kept secret. In RSA, this asymmetry is based on the practical difficulty of factoring the product of two large prime numbers, the factoring problem. RSA is made of the initial letters of the surnames of Ron Rivest, Adi Shamir, and Leonard Adleman. Rivest, R.; Shamir, A.; Adleman, L. (February 1978). “A Method for Obtaining Digital Signatures and Public-Key Cryptosystems” (PDF). Communications of the ACM 21 (2): 120-126.
RC4 stands for “Rivest Cipher 4” and was designed by Ron Rivest of RSA Security in 1987. RC4 was initially a trade secret. A description can be found on https://en.wikipedia.org/wiki/RC4
Elliptic curve cryptography (ECC) is an approach to public-key cryptography based on the algebraic structure of elliptic curves over finite fields. ECC requires smaller keys compared to non-ECC cryptography (based on plain Galois fields) to provide equivalent security. Elliptic curves are applicable for encryption, digital signatures, pseudo-random generators and other tasks. See e.g. NIST, Recommended Elliptic Curves for Government Use.
Keyed hash functions for integrity protection include HMAC-SHA256. HMAC-SHA256 is a keyed-hash message authentication code (HMAC) that uses SHA256 as the cryptographic hash function. An HMAC is a specific construction for calculating a message authentication code (MAUC) involving a cryptographic hash function in combination with a secret cryptographic key. As with any MAUC, it may be used to simultaneously verify both the data integrity and the authentication of a message. HMAC can be used with any of the following cryptographic hash functions.
A key aspect of cryptographic hash functions is their collision resistance: nobody should be able to find two different input values that result in the same hash output. By comparing the computed “hash” (the output from execution of the algorithm) to a known and expected hash value, a person can determine the data's integrity. Example are the following.
The MD5 message-digest algorithm is a cryptographic hash function producing a 128-bit hash value. MD5 has been utilized in a wide variety of cryptographic applications, and is also commonly used to verify data integrity. MD5 was designed by Ronald Rivest in 1991 and is described in RFC 1321.
SHA-1 (Secure Hash Algorithm 1) is a cryptographic hash function designed by the United States National Security Agency and is a U.S. Federal Information Processing Standard published by the United States NIST, see http://csrc.nist.gov/publications/fips/fips180-4/fips-180-4.pdf.
SHA-2 (Secure Hash Algorithm 2) is a set of cryptographic hash functions designed by the NSA. SHA stands for Secure Hash Algorithm. The SHA-2 family consists of six hash functions with digests (hash values) that are 224, 256, 384 or 512 bits: SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224, SHA-512/256, see http://www.staff.science.uu.n1/˜werkh108/docs/study/Y5_07_08/infocry/project/Cryp08.pdf.
Usually, a set of cryptographic operations is used in a security protocol. Once the authentication and security protocol are completed, the service seeker and service provider are successfully connected through Wi-Fi. The sequence of steps to arrive at this connected state is called a security mechanism. After execution of the applicable security mechanism the higher layer communication can be initiated between the seeker and service provider to start using the services offered by the service provider, i.e. using application layer protocols on top of the MAC.
Once the service seeker and service provider are connected via a link layer connection, e.g. using Wi-Fi, the service seeker may not only be able to access the initial service of the service provider to which the seeker wanted to use, it may also try to access other services on the service provider through any application layer protocol. The service provider may however block such other services. For example, the service provider may have some firewall to block certain types of traffic or block access to specific IP ports. For example in Wi-Fi Direct services, ports are blocked until the service seeker requests a session with a particular service by sending an ASP REQUEST_SESSION message. However, firewalls usually block communication based on the type of application and/or protocol, or block based on certain IP address ranges as source or destination of the communication.
US2015/0373765 describes wireless communication and providing an application service platform (ASP) via WiFi Direct. On the ASP layer multiple services may be engaged, while a single P2P connection is established on Wi-Fi Direct level.
US2013/0111041 describes establishing a wireless connection between mobile devices. Security protocols may be applied when transmitting user information. After exchange of user information, the devices may establish a direct data-link. The direct data-link enables the devise to transmit data without associating to a network and perform authentication protocols or higher level security frames, and may co-exist with an existing connection to a network.
Document “Daniel Camps-Mur ET AL: “Device to device communications with Wi-Fi Direct: overview and experimentation, XP055101759” describes the Wi-Fi Direct extension of the Wi-Fi standard. Security is discussed, and refers to various well-known security protocols for Wi-Fi Protected Setup (WPS).